Incapsula – New DDoS Study: Who Needs a Botnet when you have a 4 Gbps DDoS Cannon?

April 27th, 2013 Waqas Technology News 0 comments
In recent months the DDoS world has shifted from complex, small-scale botnet attacks to much larger network-based DDoS attacks, perpetrated largely by hijacked web servers. How many of these hijacked servers are out there remains to be seen, but Incapsula recently got a very good idea of just how large these DDoS cannons are getting.

Last Saturday Incapsula mitigated a rather small 4 Gbps DDoS attack, but this one had a different pattern that attracted the team's attention.

At first sight the attack seemed rather simple: 8 million DNS queries per second, to many domains, from spoofed source IP addresses (the IPs of real domain name servers). But this time it included a hint about where it was coming from: all of that traffic originated from the same source, probably on the same network, maybe even the same device.

Tracing it to a single Source – TTL Giveaway

The Incapsula team was able to trace the attack to a single source because this time the attackers slipped up and did not randomize the requests' TTLs, so all of the traffic arrived with the same IP TTL.

The TTL (time to live) parameter is a field in the IP header that designates how many routers a packet is allowed to pass before it expires. Every router along the way decrements the counter until it reaches zero and the packet is dropped (diagnostic tools such as traceroute rely on this behaviour). Of course, like many other header fields, its initial value can be spoofed and randomized, but the value on arrival is the sender's initial TTL minus the number of hops travelled, so it is almost impossible for millions of packets from genuinely different sources to arrive with the same TTL. And this is exactly what the Incapsula team saw.

[Image: ddos-trace-ttl]
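The TTL giveaway described above can be turned into a simple detection check: group incoming packets by their arrival TTL and flag the case where one TTL value carries almost all of the traffic while the source addresses claim hundreds of different senders. The following is an added example written for this article, not Incapsula's own tooling; the packet records are constructed sample data, and the table of common initial TTLs (64, 128, 255) used to estimate hop distance is an assumption about typical senders.

```python
# Added example (not Incapsula's code): clustering packets by arrival IP TTL to
# spot a single real sender hiding behind many spoofed source addresses.
# The packet records are constructed sample data, not a real capture.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # source IP as written in the header (possibly spoofed)
    ttl: int   # IP TTL as observed on arrival


# Initial TTL values set by common senders (Linux/BSD 64, Windows 128, many
# network devices 255). Assumption used to turn an arrival TTL into a hop count.
INITIAL_TTLS = (64, 128, 255)


def estimated_hops(arrival_ttl):
    """Hops travelled = smallest common initial TTL >= arrival TTL, minus arrival TTL."""
    for initial in INITIAL_TTLS:
        if arrival_ttl <= initial:
            return initial - arrival_ttl
    return None  # not a valid 8-bit TTL


def ttl_clusters(packets):
    """Map arrival TTL -> (packet count, number of distinct claimed sources)."""
    counts = Counter()
    sources = defaultdict(set)
    for p in packets:
        counts[p.ttl] += 1
        sources[p.ttl].add(p.src)
    return {ttl: (counts[ttl], len(sources[ttl])) for ttl in counts}


def single_source_suspected(packets, min_sources=50, share=0.9):
    """Return (ttl, hop_estimate) when one TTL carries at least `share` of all
    packets while claiming at least `min_sources` distinct senders. Genuinely
    different senders sit at different hop distances and run different OSes,
    so they do not all arrive with one TTL; a single spoofing box does."""
    if not packets:
        return None
    ttl, (count, nsrc) = max(ttl_clusters(packets).items(), key=lambda kv: kv[1][0])
    if count / len(packets) >= share and nsrc >= min_sources:
        return ttl, estimated_hops(ttl)
    return None


def build_sample():
    """Constructed traffic: 2000 'DNS queries' from 100 spoofed DNS-server IPs that
    all arrive with TTL 52, mixed with 40 legitimate packets with varied TTLs."""
    attack = [Packet(f"198.51.100.{i}", 52) for i in range(1, 101) for _ in range(20)]
    legit_ttls = (49, 57, 61, 113, 119, 240, 52, 50)
    legit = [Packet(f"203.0.113.{i}", legit_ttls[i % len(legit_ttls)]) for i in range(1, 41)]
    return attack + legit


if __name__ == "__main__":
    sample = build_sample()
    print(sorted(ttl_clusters(sample).items()))
    print(single_source_suspected(sample))   # (52, 12): one sender about 12 hops away
```

Two caveats for anyone using this in anger: the hop estimate assumes the sender used one of the common initial TTLs, and the whole check is a heuristic. An attacker who randomizes the TTL field, as the article notes they can, defeats it, and a few real hosts at the same hop distance will legitimately share an arrival TTL, which is why the check also demands an implausibly large number of distinct sources behind that one value.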

Are Authoritative Name Servers next on the exploit list?

Another interesting point the Incapsula team saw is that the spoofed addresses belonged to DNS servers, but not all of them were open DNS resolvers. In fact, many of these IPs were those of authoritative name servers.

The reason for the non-random selection of IPs was to avoid blacklisting mechanisms: blocking the addresses of real DNS servers would also block legitimate DNS traffic. But it also means that attackers are collecting information about authoritative name servers. Using these in reflection attacks is a bit more complicated (it means building a database of domains with large DNS responses) and yields a much smaller amplification factor, but authoritative servers are much more difficult to lock down than open DNS resolvers, since by design they must answer queries from anyone.

So… what does this mean?

This means that the stakes just got higher. For comparison: at the rate of this attack, if it had used DNS amplification with an average amplification factor of 50, it would have generated a 200+ Gbps DDoS attack, all from a single source.
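The amplification factor in the two passages above is simply the size of the reflected response divided by the size of the spoofed query, which is why reflecting off authoritative servers requires cataloguing domains that produce large answers: a typical single-record answer barely amplifies at all. The following added example (not Incapsula's code) builds a DNS query and a response on the wire and compares their sizes; the record sets, the domain name and the 4096-byte EDNS buffer are constructed for illustration.

```python
# Added example (not Incapsula's code): measuring the amplification factor of a
# DNS reflection request by building the query and a plausible response on the
# wire and comparing their sizes. The record sets below are constructed.
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY, QTYPE_OPT = 1, 16, 255, 41


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_udp_size=4096):
    """Standard query with RD set. The OPT record advertising a large UDP buffer
    is what lets a reflector send a multi-kilobyte answer in one datagram."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack(">HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def question_section(query):
    """Copy of the question (name + type + class) from a query message."""
    i = 12
    while query[i] != 0:
        i += 1 + query[i]
    return query[12:i + 1 + 4]


def build_response(query, records, ttl=300):
    """Answer echoing the query's txid and question; each record is (type, rdata)
    and names its owner via a compression pointer to offset 12 (0xC00C)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
                   for rtype, rdata in records)
    return header + question_section(query) + rrs


def amplification_factor(query, response):
    """Bytes sent to the victim per byte the attacker had to send to the reflector."""
    return len(response) / len(query)


def txt_rdata(text):
    """TXT rdata is a sequence of <length><characters> strings (max 255 each)."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def compare_reflectors():
    """Constructed comparison: a name that answers an A query with one record
    versus a name whose ANY answer carries eight 255-byte TXT records."""
    q_a = build_query("example.com", QTYPE_A)
    r_a = build_response(q_a, [(QTYPE_A, bytes([93, 184, 216, 34]))])
    q_any = build_query("example.com", QTYPE_ANY)
    r_any = build_response(q_any, [(QTYPE_TXT, txt_rdata("v" * 255)) for _ in range(8)])
    return {
        "single_A_record": amplification_factor(q_a, r_a),
        "large_TXT_rrset": amplification_factor(q_any, r_any),
    }


if __name__ == "__main__":
    for label, factor in compare_reflectors().items():
        print(f"{label}: {factor:.1f}x")
```

The single-record answer comes out at roughly 1.1x, while the large record set reaches about 54x, in line with the factor of 50 the article uses for its 200 Gbps comparison. The queries are never sent anywhere: the point is that the attacker's cost is the 40-byte spoofed query, and everything that determines the damage is in what the reflector is willing to return.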

What do we know about this source?

  • It is either custom hardware or a cluster of machines sharing the same network; it is (almost) impossible for a single machine to generate this kind of traffic.
  • It could use 4 Gbps of upstream bandwidth without anyone noticing.

These days it doesn't take a botnet to launch massive DDoS attacks. It doesn't even take hundreds of servers from multiple hosting providers. Today, that kind of massive firepower can be obtained from a single DDoS cannon, from a single location and perhaps even one single server.

[Via: Incapsula]